
In a pen tester’s life, sooner or later you end up cracking a password. How long that takes depends on the type of password and the hardware available.

Today I want to show you a different approach to cracking a password. We will focus on how to crack a Wi-Fi WPA2 password.

First of all, it’s important to define this. WPA2 is the most secure Wi-Fi protocol that currently exists, as long as it is well configured with the latest encryption techniques. Nevertheless, I say that WPA2 is the most secure – not that it isn’t hackable. Thanks to the MiTM attack, it is possible to capture the encrypted form of the password and attack it offline. Did you know that?


I will show you how to rethink an attack on a Wi-Fi password and apply a new approach in which computing resources are potentially unlimited and cost-effective.

How many attacks are you familiar with to crack a WPA2 password?

The first that comes to mind is brute force. But this approach wastes resources, and we would have to live forever to get the results. Not very effective. Let’s start by checking what we need…

We need a wordlist. Usually at this stage, one gathers data by reconnaissance of the company website or social network accounts and combines the words commonly found there into a list of likely candidates.

This approach works if you are very lucky. We don’t need to be lucky; hackers make their own luck. Let’s see what happens when we try to create a word list with Crunch.

1PB! We don’t have that much free space on our hard disk.

Who says that we need to store the word list? We can use it in real time…

How? For example, we can pipe Crunch’s output straight into Pyrit.

Crunch generates every combination of 8 characters and pipes the results to Pyrit, which uses them to run the attack against the .cap file.

Again, this little trick is clever, but it is not efficient. The run time is still far too long, and we can’t wait forever. In a real case, we might even wait years.

CUDA is a powerful toolkit that speeds up Pyrit by using the GPU instead of the CPU.

Pyrit has an awesome feature that allows you to attack a capture using a preloaded database. This matters because it tests millions of entries per second and builds a table similar to a rainbow table.

In a word, it scales, meaning we can potentially break a WPA2 password of any length.
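Why Pyrit’s precomputed table is tied to one network, as an added example (not the article’s or Pyrit’s code): WPA2-PSK derives the pairwise master key as PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt and 4096 iterations, so a table computed for one ESSID is useless against any other, and every guess costs the full 4096 iterations. The candidate passphrases and the two ESSIDs below are constructed; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
"""WPA2-PSK master-key derivation (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32).
Added example showing why a precomputed PMK table (Pyrit's database) is bound to a single ESSID."""
import hashlib
from typing import Dict, Iterable, Optional

PMK_ITERATIONS = 4096  # fixed by the standard: the per-guess cost every cracker must pay
PMK_LENGTH = 32        # bytes (256-bit PMK)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Return the PMK for a passphrase on a given network name (the ESSID is the salt)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH)


def precompute_table(candidates: Iterable[str], essid: str) -> Dict[bytes, str]:
    """PMK -> passphrase map for one ESSID, the shape of what Pyrit's batch step stores."""
    return {derive_pmk(word, essid): word for word in candidates}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Cheap lookup: the expensive PBKDF2 work was spent when the table was built."""
    return table.get(pmk)


# Constructed sample data, not from the article.
CANDIDATES = ["password", "letmein123", "summer2014"]
DEFAULT_ESSID = "linksys"         # a vendor default network name
RENAMED_ESSID = "linksys-7f3a9c"  # the same router after its owner picked a unique name


def demo() -> dict:
    """Precompute for the default ESSID, then probe it with PMKs from both network names."""
    table = precompute_table(CANDIDATES, DEFAULT_ESSID)
    pmk_default = derive_pmk("letmein123", DEFAULT_ESSID)
    pmk_renamed = derive_pmk("letmein123", RENAMED_ESSID)
    return {
        "hit_on_default_essid": lookup(table, pmk_default),  # "letmein123": table applies
        "hit_on_renamed_essid": lookup(table, pmk_renamed),  # None: new salt, table is useless
        "table_entries": len(table),
    }


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())  # published IEEE 802.11i test vector
    print(demo())
```

The defender’s takeaway is the renamed-ESSID case: a non-default network name forces the whole batch step to be redone per target, and only passphrase length and charset govern how long that redo takes.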

Based on what we did previously, we are going to make this in 3 steps.

Creating a wordlist of 8-character entries:

Upload the wordlist just created to the Pyrit database and build our own “rainbow table” (it is not a true rainbow table):

Once the passwords have been imported, we can run the batch command to build the database.

Simply type: # pyrit batch

At this point we can start the attack against the captured .cap file.

The execution time is the same as before with the pipe approach. We don’t have the scalability to run it properly. We need something more powerful, but buying a new graphics card is not the right solution.

Amazon will help us….

AMAZON LINUX AMI

Amazon provides other kinds of web services, including AMIs (Amazon Machine Images). The Amazon Linux AMI is a supported and maintained Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2). It provides a stable, secure and high-performance execution environment, and the NVIDIA GRID GPU Driver AMI built on it allows application developers to run NVIDIA GeForce-optimized games and applications from the cloud on Amazon EC2.

A GPU AMI gives us the possibility to scale up to the power level we need: it uses the graphics card’s GPU instead of the CPU, greatly increasing computational throughput.

When you first buy an AMI, it’s bare, without the tools we require. To do the job properly, we’ll need Python, CUDA-enabled Pyrit and Crunch.

Since we pay Amazon for the hours we use, we can’t waste time! So first, before we buy AMI services, we need to prepare a ready-made package with our own tools inside.

If we run a benchmark on the Linux AMI we soon see the difference. Now we have what we want!

Now we can, potentially, crack a WPA2 passphrase of any length. Yes, potentially… with only one AMI the cracking time is still too long; we need many AMI machines connected together to form a distributed service. The more AMI servers we use, the further we can scale.

We don’t need that much power for now. I want to explain how to crack a password with the minimum effort possible.

If you look at the online documentation, every guide says to use Crunch to create a huge wordlist and Pyrit to distribute the load to other AMIs. But there’s a little trick here.

Step one

Prepare the right tools for the job. We don’t build a production machine, only a template, to save time when creating many instances later.

Step two

Create a small portion of the wordlist. This is the main part of the trick ;-). We don’t know the maximum size Pyrit will accept for our wordlist, so we can ask Pyrit itself: if we input a huge value, it returns the maximum value accepted, and that is our number!

Pyrit tells us that the value is too large and returns the correct parameter: 268435456.

Now we need to watch the size of the file being created and stop it before we run out of space. To scale out, start a new VM and continue where we left off.

We see the new file, called yyyyy-bbbbb.txt. We’ll need to start from there: check the number of characters, in this case 5, and restart Crunch with the new command.
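The arithmetic behind the 1PB wordlist and the 268435456 (2^28) import limit, as an added example rather than the article’s own code: it computes the keyspace for a Crunch-style charset and length, the on-disk size Crunch would write, how many Pyrit-sized chunks (the VMs of this scheme) that is, and how long exhausting it takes at a PMK rate. The rate is a constructed placeholder, not a measured Pyrit benchmark; from the defender’s side this is the same sum that shows what each extra passphrase character buys.

```python
"""Keyspace arithmetic behind the article's 1PB wordlist and 2**28 import limit (added example)."""

PYRIT_IMPORT_LIMIT = 268435456  # 2**28, the maximum the article reports Pyrit accepting
NEWLINE_BYTES = 1               # each Crunch entry is followed by a newline on disk
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly `length` characters."""
    return charset_size ** length


def wordlist_bytes(charset_size: int, length: int) -> int:
    """Bytes Crunch would write for the full keyspace, one entry per line."""
    return keyspace(charset_size, length) * (length + NEWLINE_BYTES)


def chunks_needed(charset_size: int, length: int, chunk: int = PYRIT_IMPORT_LIMIT) -> int:
    """Pyrit-sized imports (or VMs in the article's scheme) needed to cover the keyspace."""
    return -(-keyspace(charset_size, length) // chunk)  # ceiling division on big ints


def years_to_exhaust(charset_size: int, length: int, pmk_per_second: float) -> float:
    """Worst-case time to derive a PMK for every candidate at an assumed PBKDF2 rate."""
    return keyspace(charset_size, length) / pmk_per_second / SECONDS_PER_YEAR


def human_bytes(n: float) -> str:
    """Decimal units, so 10**15 bytes reads as 1.00 PB."""
    units = ["B", "KB", "MB", "GB", "TB", "PB", "EB"]
    i = 0
    while n >= 1000 and i < len(units) - 1:
        n, i = n / 1000, i + 1
    return f"{n:.2f} {units[i]}"


if __name__ == "__main__":
    ASSUMED_RATE = 100_000.0  # PMKs per second: a placeholder, not a measured Pyrit benchmark
    # Crunch-style character classes: lowercase, lowercase+digits, mixed-case+digits, printable
    for name, size in (("a-z", 26), ("a-z0-9", 36), ("a-zA-Z0-9", 62), ("printable", 95)):
        for length in (8, 10, 12):
            print(f"{name:>10} len={length:2d} list={human_bytes(wordlist_bytes(size, length)):>10} "
                  f"chunks={chunks_needed(size, length):>18,d} "
                  f"years={years_to_exhaust(size, length, ASSUMED_RATE):.3g}")
```

Eight mixed-case alphanumeric characters already come to about 2 PB on disk and over 800,000 chunks of 2^28 entries, which is where the article’s 1PB figure comes from; each additional character multiplies every column by the charset size.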

Step three

Upload all the files to the Pyrit database with the same command used before. You could also generate the wordlist files offline and upload them to the VM afterward; this way you won’t take up space with useless files. Upload to one VM, import into Pyrit, and distribute manually to the other VMs.

Step four

Save the VM as a template. This step will save you time next time. Go to your EC2 management console, choose the instance (the instances pre-loaded with the wordlist), give it a name and choose “Create Image”.

Step five

Launch all the instances, insert the ESSID in Pyrit, and run the batch.

Conclusion

All the steps may take some time, but VM creation, wordlist creation and uploading to the Pyrit database are done only once. The challenge here was to see how to improve the strategy for cracking a Wi-Fi password.

New cloud platforms and their processing power give us the possibility to perform an attack faster than before and get the best results. Amazon is only a third-party actor, and some contract policy may now forbid what this paper describes.

Amazon is an excellent company, and I want to underline that this guide is not meant for bad things, but is a demonstration of how new technology could be used to perform an attack.

This is a great one. Thanks for the share. One thing that would have been nice for you to have mentioned, for clarity, is that the guide only explains cracking the captured .cap file. You could have referenced somewhere else or briefly talked about how you capture your packets into the cap file (maybe airodump-ng or something better you use).

jkjl

You lost my time; you should have advised it’s an Amazon ad, not said it at the end.
